Make sure "starttls_required" can't be bypassed
author Holger Weiss <holger@zedat.fu-berlin.de>
Sun, 12 Oct 2014 00:08:08 +0000 (02:08 +0200)
committer Holger Weiss <holger@zedat.fu-berlin.de>
Sun, 12 Oct 2014 00:08:08 +0000 (02:08 +0200)
Don't allow clients to circumvent the "starttls_required" option by
enabling XMPP stream compression.

src/ejabberd_c2s.erl

index 9bfe225cf541ca09f3f5cd7d489a07b5c371fffb..1591e6ffa5852def0c22bda5fd742e54d615fa3f 100644 (file)
@@ -735,7 +735,7 @@ wait_for_feature_request({xmlstreamelement, El},
        (StateData#state.sockmod):get_sockmod(StateData#state.socket),
     case {xml:get_attr_s(<<"xmlns">>, Attrs), Name} of
       {?NS_SASL, <<"auth">>}
-         when not ((SockMod == gen_tcp) and TLSRequired) ->
+         when TLSEnabled or not TLSRequired ->
          Mech = xml:get_attr_s(<<"mechanism">>, Attrs),
          ClientIn = jlib:decode_base64(xml:get_cdata(Els)),
          case cyrsasl:server_start(StateData#state.sasl_state,
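Review bot: The new guard on the `{?NS_SASL, <<"auth">>}` clause depends on `TLSEnabled`, but its binding is not visible in this hunk (only `SockMod` is bound in the context above), so the correctness of the fix rests on where that value comes from. Please confirm it is derived from connection state that is set only after the TLS handshake has completed, and that it keeps its value across the stream restart that follows compression negotiation, since the commit message names compression as the bypass path. A short comment above the guard saying why the socket module is no longer consulted would help the next reader avoid reintroducing the `SockMod == gen_tcp` comparison.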
@@ -856,7 +856,7 @@ wait_for_feature_request({xmlstreamelement, El},
                end
          end;
       _ ->
-         if (SockMod == gen_tcp) and TLSRequired ->
+         if TLSRequired and not TLSEnabled ->
                 Lang = StateData#state.lang,
                 send_element(StateData,
                              ?POLICY_VIOLATION_ERR(Lang,
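Review bot: The `if TLSRequired and not TLSEnabled` test in the catch-all `_` clause is the hand-written negation of the `when TLSEnabled or not TLSRequired` guard on the SASL auth clause, and the policy only holds while the two stay in agreement. Consider binding the condition once near the top of the function, next to the `SockMod` binding, and using that single variable in both places so a later edit cannot change one without the other. A regression test that negotiates stream compression before STARTTLS with "starttls_required" set and expects the policy-violation error would also be worth adding alongside this change.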